The case for white hat hacking of our election software
Congress did not pass the bipartisan Secure Elections Act. This means in the two years since Russian interference disrupted our election systems, we have failed to improve security around the technologies that support our election processes.
Legislating a fix to the problem is proving futile. It’s time to ask ourselves – as citizens, elected leaders, technologists and those interested in protecting our democracy – what else we can do to improve election security.
A recent report delivered to Capitol Hill found that “election machines used in more than half of U.S. states carry a flaw disclosed more than a decade ago that makes them vulnerable to a cyberattack,” according to The Wall Street Journal.
Shouldn’t we view our elections through the lens not just of security, but safety? Think about it this way: we have the NTSB for travel, the FDA for food, OSHA for workplace safety. We would scarcely accept 50 percent of cars on the road being faulty or 50 percent of food on grocery store shelves being tainted.
That’s why states should open up voting systems and machines to the white hat hacker community. Much of the technology we enjoy using today, our smartphones and apps and internet-connected vehicles, is safer and more secure because it’s been probed by hackers to expose and report vulnerabilities that are then corrected. The software that powers the digital world, including election systems, can be made more secure via bug bounties that enable the hacking community to get to work.
Hackers can be exceptionally creative, constantly thinking outside the box. Security experts close to a product will have made assumptions that attackers will ignore. Bringing in outside hackers with their own attack tools will uncover new risks. This is one of the clear values of bug bounty programs. Keep in mind, this is not a replacement for sound security engineering as part of the development process; it should be in addition to it.
State governments should accept offers of companies to perform penetration tests of election websites. Election system hardware and software vendors, long opposed to scrutiny, risk their reputations each year they deemphasize security. Both states and their election system vendors should embrace ongoing bug bounty programs that facilitate collaborative disclosure of security flaws.
You can look to the bug bounty programs of Google and Facebook to see this in action. These organizations, among the most prolific and profitable companies ever built, have internal security teams that are working to secure the software they create, but interesting bugs are still found by outsiders. This is the example government must learn from. One Google bug bounty program received 470 qualifying vulnerability reports in the past year, each with the potential to make Google software more secure.
The risks of not opening up election software and equipment to white hat hacking are straightforward: attackers get access to software and systems and find bugs that they don’t report. They then later exploit these bugs during an election.
Setting bounties high will attract many skilled hackers who will want to report what they find.
In short, more eyes on the problems will always lead to better security.
Our society and culture value a safer world. Allowing these systems to be hacked by white hats, in collaboration with election system vendors, is our most sure-fire bet toward creating safer elections. The results may be ugly at first, but we’ve experienced the alternative, and no one wants a repeat.
Chris Wysopal is Chief Technology Officer at CA Veracode, where he oversees technology strategy and information security. Prior to co-founding CA Veracode in 2006, Chris was vice president of research and development at security consultancy @stake, which was acquired by Symantec. In the 1990s, Chris was one of the original vulnerability researchers at The L0pht, a hacker think tank, where he was one of the first to publicize the risks of insecure software. He has testified to the US Congress on the subjects of government security and how vulnerabilities are discovered in software. He is the author of The Art of Software Security Testing.